This quest is the guide for an AWS led event including incident response day. Using an AWS supplied, or your own AWS account, you will learn through hands-on labs in the AWS Well-Architected area of Incident Response. The skills you learn will help you secure your workloads in alignment with the AWS Well-Architected Framework.
- An AWS account that you are able to use for testing, that is not used for production or other purposes. NOTE: You will be billed for any applicable AWS resources used if you complete this lab that are not covered in the AWS Free Tier.
This hands-on lab will guide you through how to use AWS CloudFormation to automatically configure detective controls including AWS CloudTrail, AWS Config, and Amazon GuardDuty. You will use the AWS Management Console and AWS CloudFormation to guide you through how to automate the configuration of each service.
In this workshop, you will build an environment consisting of two Amazon Linux web servers behind an application load balancer. The web servers will be running a PHP web site that contains several vulnerabilities. You will then use AWS Web Application Firewall (WAF), Amazon Inspector and AWS Systems Manager to identify the vulnerabilities and remediate them.
This hands-on lab will guide you through a number of examples of how you could use the AWS Console and Command Line Interface (CLI) for responding to a security incident. It is a best practice to be prepared for an incident, and have appropriate detective controls enabled.
Walks you through a scenario covering threat detection and automated remediation using Amazon GuardDuty; a managed threat detection service. The scenario simulates an attack that spans a few threat vectors, representing just a small sample of the threats that GuardDuty is able to detect.
This lab consists of using an open source python module for orchestrating memory acquisitions and analysis using AWS Systems Manager. It analyzes the memory dump using Rekall with the most common plugins: psaux, pstree, netstat, ifconfig, pidhashtable.
AWS Security Incident Response Guide
Find further information on the AWS website around AWS Cloud Security and in particular what your responsibilities are under the shared security model
- Ben Potter, Security Lead, Well-Architected
Licensed under the Apache 2.0 and MITnoAttr License.
Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at
https://aws.amazon.com/apache2.0/
or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.